Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,036
Critical: 923
High: 3,047
Medium: 10,866

Showing 4581-4600 of 15036 records
Threat Entry Updated 2025-06-12

CVE-2025-4666 - Zotpress Plugin

The Zotpress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘nickname’ parameter in all versions up to, and including, 7.3.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Zotpress

CVE-2025-4666

MEDIUM CVSS 6.4 2025-06-11
Threat Entry Updated 2025-07-16

CVE-2025-4774 - Premium Addons For Elementor Plugin

The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-countdown attribute of the Countdown widget in all versions up to, and including, 4.11.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Premium Addons For Elementor

CVE-2025-4774

MEDIUM CVSS 6.4 2025-06-10
Threat Entry Updated 2025-07-16

CVE-2025-4577 - Smash Balloon Social Post Feed Plugin

The Smash Balloon Social Post Feed – Simple Social Feeds for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-color attribute in all versions up to, and including, 4.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Smash Balloon Social Post Feed

CVE-2025-4577

MEDIUM CVSS 6.4 2025-06-10
Threat Entry Updated 2025-07-14

CVE-2025-2918 - Ultimate Blocks Plugin

The Ultimate Blocks – WordPress Blocks Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 3.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ultimate Blocks

CVE-2025-2918

MEDIUM CVSS 6.4 2025-06-10
Threat Entry Updated 2025-07-02

CVE-2025-4954 - Axle Demo Importer Plugin

The Axle Demo Importer WordPress plugin through 1.0.3 does not validate files to be uploaded, which could allow authenticated users (author and above) to upload arbitrary files such as PHP to the server.

PLUGIN Axle Demo Importer

CVE-2025-4954

HIGH CVSS 8.8 2025-06-10
Threat Entry Updated 2025-07-02

CVE-2025-4840 - Likes And Dislikes Plugin

The inprosysmedia-likes-dislikes-post WordPress plugin through 1.0.0 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

PLUGIN Likes And Dislikes

CVE-2025-4840

HIGH CVSS 7.5 2025-06-10
Threat Entry Updated 2025-07-11

CVE-2025-3076 - Elementor Page Builder Plugin

The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘button_text’ parameter in all versions up to, and including, 3.29.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Elementor Page Builder

CVE-2025-3076

MEDIUM CVSS 6.4 2025-06-10
Threat Entry Updated 2025-06-12

CVE-2025-5925 - Bunnys Print Css Plugin

The Bunny’s Print CSS plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.95. This is due to missing or incorrect nonce validation on the pcss_options_subpanel() function. This makes it possible for unauthenticated attackers to update settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Bunnys Print Css

CVE-2025-5925

MEDIUM CVSS 4.3 2025-06-10
Threat Entry Updated 2025-06-12

CVE-2025-4601 - WordPress Core

The "RH - Real Estate WordPress Theme" theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 4.4.0. This is due to the theme not properly restricting user roles that can be updated as part of the inspiry_update_profile() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to set their role to that of an administrator. The vulnerability was partially patched in version 4.4.0, and fully patched in version 4.4.1.

CORE WordPress Core

CVE-2025-4601

HIGH CVSS 8.8 2025-06-10
Threat Entry Updated 2025-06-12

CVE-2025-31396 - Allows Object Injection Theme

Deserialization of Untrusted Data vulnerability in themeton FLAP - Business WordPress Theme allows Object Injection. This issue affects FLAP - Business WordPress Theme: from n/a through 1.5.

THEME Allows Object Injection

CVE-2025-31396

CRITICAL CVSS 9.8 2025-06-09
Threat Entry Updated 2025-06-12

CVE-2025-28945 - Allows Php Local File Inclusion Theme

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme Valen - Sport, Fashion WooCommerce WordPress Theme allows PHP Local File Inclusion. This issue affects Valen - Sport, Fashion WooCommerce WordPress Theme: from n/a through 2.4.

THEME Allows Php Local File Inclusion

CVE-2025-28945

HIGH CVSS 8.1 2025-06-09
Threat Entry Updated 2025-06-12

CVE-2023-25999 - Allows Php Local File Inclusion Theme

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme BodyCenter - Gym, Fitness WooCommerce WordPress Theme allows PHP Local File Inclusion. This issue affects BodyCenter - Gym, Fitness WooCommerce WordPress Theme: from n/a through 2.4.

THEME Allows Php Local File Inclusion

CVE-2023-25999

HIGH CVSS 8.1 2025-06-09
Threat Entry Updated 2025-06-12

CVE-2025-4652 - Before 1 Plugin

The Broadstreet WordPress plugin before 1.51.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Before 1

CVE-2025-4652

MEDIUM CVSS 6.1 2025-06-09
Threat Entry Updated 2025-06-12

CVE-2025-3582 - Before 8 Plugin

The Newsletter WordPress plugin before 8.85 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 8

CVE-2025-3582

MEDIUM CVSS 4.8 2025-06-09
Threat Entry Updated 2025-06-12

CVE-2025-3581 - Before 8 Plugin

The Newsletter WordPress plugin before 8.8.5 does not validate and escape some of its Widget options before outputting them back in a page/post where the block is embedded, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Before 8

CVE-2025-3581

MEDIUM CVSS 4.8 2025-06-09
Threat Entry Updated 2025-07-15

CVE-2025-5568 - Event Manager And Tickets Selling For Woocommerce Plugin

The WpEvently plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in all versions up to, and including, 4.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Event Manager And Tickets Selling For Woocommerce

CVE-2025-5568

MEDIUM CVSS 6.4 2025-06-07
Threat Entry Updated 2025-07-14

CVE-2025-5528 - Sassy Social Share Plugin

The Social Sharing Plugin – Sassy Social Share plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the heateor_mastodon_share parameter in all versions up to, and including, 3.3.75 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action, such as clicking on a link.

PLUGIN Sassy Social Share

CVE-2025-5528

MEDIUM CVSS 6.1 2025-06-07
Threat Entry Updated 2025-07-14

CVE-2024-9994 - Essential Addons For Elementor Lite Plugin

The Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the eael_pricing_item_tooltip_content parameter of the Pricing Table Widget in all versions up to, and including, 6.1.12 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Essential Addons For Elementor Lite

CVE-2024-9994

MEDIUM CVSS 6.4 2025-06-07
Threat Entry Updated 2025-07-14

CVE-2024-9993 - Essential Addons For Elementor Lite Plugin

The Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the eael_event_details_text parameter of the Event Calendar Widget in all versions up to, and including, 6.1.12 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Essential Addons For Elementor Lite

CVE-2024-9993

MEDIUM CVSS 6.4 2025-06-07
Threat Entry Updated 2025-06-09

CVE-2025-5303 - Ltl Freight Quotes Day Ross Edition Plugin

The LTL Freight Quotes – Freightview Edition, LTL Freight Quotes – Daylight Edition and LTL Freight Quotes – Day & Ross Edition plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the expiry_date parameter in all versions up to, and including, 1.0.11, 2.2.6 and 2.1.10 respectively, due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ltl Freight Quotes Day Ross Edition

CVE-2025-5303

HIGH CVSS 7.2 2025-06-07